VSUB - Malware Submissions

Thursday 25th May, 2006

VS0605006 Possible new malware [Downloader]

Filed under: All, Submitted

Details on a sample of a suspected new malware being spread via a link
in an e-mail.

This was caught by my Bayesian Filter.

I have included data on a sample for your information and analysis and the file extracted from the zip file attached to the original e-mail.

2 copies have been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

Here’s the data on the ZIP file attached:

FileName: ref 7119606.zip
FileDateTime: 25/05/2006 11:38:23
Filesize: 5115
MD5: 32447beb481aad2a670093a75d7ae82e
CRC32: 5913500A
File Type: ZIP Archive File

This is the data on the file extracted from the ZIP attachment:

FileName: ref 7119606.exe
FileDateTime: 25/05/2006 09:19:04
Filesize: 6092
MD5: 9127f478235f98b6572bd3193918e473
CRC32: 6D0A8FD7
File Type: PE Executable
Packer: FSG

============================================================

Scan report of: ref 7119606.exe

AntiVir 6.34.1.32/20060525 found [Heuristic/Trojan.Downloader]
Authentium 4.93.8/20060525 found nothing
Avast 4.6.695.0/20060524 found nothing
AVG 386/20060524 found nothing
BitDefender 7.2/20060525 found nothing
CAT-QuickHeal 8.00/20060525 found [(Suspicious) - DNAScan]
ClamAV devel-20060426/20060525 found nothing
DrWeb 4.33/20060525 found nothing
eTrust-InoculateIT 23.72.17/20060525 found nothing
eTrust-Vet 12.6.2227/20060525 found nothing
Ewido 3.5/20060525 found nothing
Fortinet 2.77.0.0/20060524 found [suspicious]
F-Prot 3.16c/20060524 found nothing
Ikarus 0.2.65.0/20060524 found [Trojan-Downloader.Win32.Harnig.bl]
Kaspersky 4.0.2.24/20060525 found nothing
McAfee 4769/20060524 found nothing
Microsoft 1.1440/20060522 found nothing
NOD32v2 1.1557/20060525 found nothing
Norman 5.90.17/20060524 found nothing
Panda 9.0.0.4/20060524 found [Suspicious file]
Sophos 4.05.0/20060525 found nothing
Symantec 8.0/20060525 found nothing
TheHacker 5.9.8.147/20060524 found nothing
UNA 1.83/20060524 found nothing
VBA32 3.11.0/20060525 found nothing

============================================================

Tuesday 23rd May, 2006

VS0605005 Possible new malware [Downloader]

Filed under: All, Submitted

Details on a sample of a suspected new malware being spread via a link
in an e-mail.

This was caught by my Bayesian Filter.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: photoalbum.exe
FileDateTime: 23/05/2006 17:38:18
Filesize: 9472
MD5: 2d081ffa3e7220b02c950809aa7f2f10
CRC32: F3990804
File Type: PE Executable
Packer: FSG

============================================================

Scan report of: photoalbum.exe

@Proventia-VPS -
AntiVir TR/Dldr.Avangt.A.2
Avast! -
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) Dloader.U!tr
Ikarus Trojan-Downloader.Win32.Harnig.bl
Kaspersky -
McAfee Generic Downloader.u trojan
McAfee (BETA) Generic Downloader.u trojan
Microsoft -
Nod32 -
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal Suspicious (warning)
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 -
VirusBuster -
YY_Spybot Smitfraud-C.,,Executable

============================================================

VS0605004 Possible new malware [Mytob]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via a link
in an e-mail.

This was caught by an end user.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: Confirmation_Sheet.pif
FileDateTime: 23/05/2006 15:22:26
Filesize: 105472
MD5: f86115cd2ade54cdcfdbeb9037f98c43
CRC32: 44742219
File Type: PE Executable

============================================================

Scan report of: Confirmation_Sheet.pif

@Proventia-VPS -
AntiVir Worm/IRCBo.112640.1
Avast! Win32:Mytob-QG [Wrm]
AVG -
BitDefender Win32.Worm.MyTob.GF
ClamAV -
Command -
Dr Web -
eSafe Win32.Polipos.sus
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET Win32/Mytob.MR
eTrust-VET (BETA) Win32/Mytob.MR
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus Backdoor.Win32.ProRat.AE
Kaspersky Net-Worm.Win32.Mytob.ep
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal Suspicious (warning)
Sophos W32/Mytob-HW
Symantec -
Symantec (BETA) W32.Mytob.PP@mm
Trend Micro -
Trend Micro (BETA) -
VBA32 -
VirusBuster -
YY_Spybot -

============================================================

VS0605003 Possible new malware [Mytob]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via a link
in an e-mail.

This was caught by an end user.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: Confirmation_Sheet.pif
FileDateTime: 23/05/2006 15:10:08
Filesize: 104448
MD5: 04c8947f68c3e9b616fb544a50fa2ffc
CRC32: B0B85EAA
File Type: PE Executable

============================================================

Scan report of: Confirmation_Sheet.pif

@Proventia-VPS -
AntiVir Worm/IRCBo.112640.1
Avast! Win32:Mytob-QG [Wrm]
AVG -
BitDefender -
ClamAV -
Command -
Dr Web -
eSafe Win32.Polipos.sus
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus Backdoor.Win32.ProRat.AE
Kaspersky -
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman -
Panda -
Panda (BETA) -
QuickHeal Suspicious (warning)
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 -
VirusBuster -
YY_Spybot -

============================================================

Wednesday 10th May, 2006

VS0605002 Possible new malware [Downloader]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via a link
in an e-mail.

This was caught by my Bayesian Filter.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: ORDER 0228127.rar
FileDateTime: 10/05/2006 14:46:47
Filesize: 7324
MD5: be8cb6787d40d3898a17ebeda2466374
CRC32: 3CF9037B
File Type: RAR Archive File

Contains:

FileName: ORDER 0228127.exe
FileDateTime: 08/05/2006 13:50:20
Filesize: 8316
MD5: 31560115bd56e415228a84bca0c37f52
CRC32: A0BF309F
File Type: PE Executable
Packer: FSG

============================================================

Scan report of: ORDER 0228127.exe

@Proventia-VPS -
AntiVir TR/Dldr.Small.cjv.3
Avast! -
AVG -
BitDefender -
ClamAV -
Command -
Dr Web DLOADER.Trojan (probably)
eSafe Trojan/Worm [100] (suspicious)
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido -
F-Prot -
F-Secure Trojan-Downloader.Win32.Small.cul
F-Secure (BETA) Trojan-Downloader.Win32.Small.cul
Fortinet suspicious
Fortinet (BETA) suspicious
Ikarus Trojan-Downloader.Win32.Harnig.bl
Kaspersky Trojan-Downloader.Win32.Small.cul
McAfee -
McAfee (BETA) Generic Downloader.ab trojan
Microsoft -
Nod32 -
Norman -
Panda Suspicious file
Panda (BETA) Suspicious file
QuickHeal Suspicious (warning)
Sophos -
Symantec -
Symantec (BETA) Download.Trojan
Trend Micro -
Trend Micro (BETA) -
VBA32 -
VirusBuster -
YY_Spybot Smitfraud-C.,,Executable

============================================================

Tuesday 9th May, 2006

VS0605001 Possible new malware [Ardamax]

Filed under: All, Submitted

Data on a sample of a suspected new malware being spread via a link
in an e-mail.

This was caught by my Bayesian Filter.

This appears to be a spam run as I’ve received around a dozen e-mails
linking to the download site. All the e-mails have been received at
different addresses.

I have included data on a sample for your information and analysis.

1 copy has been trapped so far.

I haven’t had a chance to test it on a goat system yet.

============================================================

Details:

FileName: client.zip
FileDateTime: 09/05/2006 08:55:36
Filesize: 405562
MD5: ec17dd260473be369e2daa0b3de63a16
CRC32: 8FBCF18C
File Type: ZIP Archive File

Contains:

FileName: PuTTy.exe
FileDateTime: 08/05/2006 23:32:46
Filesize: 413816
MD5: a4070bc5d859111320de6478c3c195ca
CRC32: 72785A3F
File Type: PE Executable

============================================================

Scan report of: PuTTy.exe

@Proventia-VPS -
AntiVir -
Avast! -
AVG -
BitDefender -
ClamAV -
Command -
Dr Web Program.Ardamax
eSafe -
eTrust-INO -
eTrust-INO (BETA) -
eTrust-VET -
eTrust-VET (BETA) -
Ewido Not-A-Virus.Monitor.Win32.Ardamax.k
F-Prot -
F-Secure -
F-Secure (BETA) -
Fortinet -
Fortinet (BETA) -
Ikarus Monitor.Win32.Ardamax.k
Kaspersky not-a-virus:Monitor.Win32.Ardamax.k
McAfee -
McAfee (BETA) -
Microsoft -
Nod32 -
Norman W32/Ardamax.ACK
Panda Application/Ardamax
Panda (BETA) Application/Ardamax
QuickHeal -
Sophos -
Symantec -
Symantec (BETA) -
Trend Micro -
Trend Micro (BETA) -
VBA32 Trojan-Dropper.VB.22 (suspected)
VirusBuster -
YY_Spybot -

============================================================